From 93397a774fc5cd1aceec0b4329c8f96c708559a5 Mon Sep 17 00:00:00 2001
From: Philip Sargent
Date: Fri, 25 Aug 2023 22:08:04 +0300
Subject: fix _edit access loophole

---
 core/views/expo.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'core/views/expo.py')

diff --git a/core/views/expo.py b/core/views/expo.py
index 3e36862..900ca32 100644
--- a/core/views/expo.py
+++ b/core/views/expo.py
@@ -379,10 +379,11 @@ def editexpopage(request, path):
 o = open(filepath, "r", encoding="utf8")
 html = o.read()
 autogeneratedmatch = re.search(
- r"\<\!--\s*(.*?(Do not edit|It is auto-generated).*?)\s*--\>", html, re.DOTALL + re.IGNORECASE
+ r"\<\!--\s*(.*?(Do not edit|It is auto-generated|NOEDIT).*?)\s*--\>", html, re.DOTALL + re.IGNORECASE
 )
 if autogeneratedmatch:
- return HttpResponse(autogeneratedmatch.group(1))
+ message = "\tThis page is either auto-generated, and so cannot be edited,\n\t\tor it is too complex to allow users to edit it safely. \n\n\t\tA safer means of updating this page is on the programmers' to-do list."
+ return render(request, "errors/notice.html", {"message": message})
 m = re.search(r"(.*)]*)>(.*)(.*)]*)>(.*)(.*)", html, re.DOTALL + re.IGNORECASE)
 if m:
 filefound = True
--
cgit v1.2.3
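Review bot: The pattern on the added `+ r"\<\!--\s*(.*?(Do not edit|It is auto-generated|NOEDIT).*?)\s*--\>"` line still lets `.*?` run across `-->` because of re.DOTALL, so a match can begin at one HTML comment and end at a later one; any page whose visible text contains "do not edit" or "noedit" (re.IGNORECASE) somewhere between two comments is then refused for editing, while the marker is only meant to count when it sits inside a comment. Keeping the match within a single comment is a one-line change: `r"\<\!--\s*((?:(?!-->).)*?(Do not edit|It is auto-generated|NOEDIT)(?:(?!-->).)*?)\s*--\>"`. editexpopage starts before this hunk and continues after it; if the POST/save branch lives in that unseen part and does not repeat this check against the stored file, the "_edit access loophole" named in the subject could still be reachable on save, which the hunk alone cannot confirm either way. Separately, the `o = open(filepath, "r", encoding="utf8")` context line is never closed in the visible code, so `with open(filepath, "r", encoding="utf8") as o:` would be the tidier form, though that predates this change.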